Network Access report

To create a network access report, create a GlobalReport with the reportType set to network-access.

The following sample command creates a GlobalReport that results in a daily network access report for endpoints in the public namespace.

```bash
kubectl apply -f - << EOF
apiVersion: projectcalico.org/v3
kind: GlobalReport
metadata:
  name: daily-public-network-access-report
  labels:
    deployment: production
spec:
  reportType: network-access
  endpoints:
    namespaces:
      names:
        - public
  schedule: 0 0 * * *
EOF
```
Note: There is a known issue that audit logs do not contain deletion events for resources that were deleted implicitly as part of a namespace deletion. Currently, this means that policies and pods deleted in this way may still appear in reports that cover any period within the next day.

Downloadable reports

summary.csv

A summary CSV file that includes details about the report parameters and the top level counts.

| Heading | Description | Format |
| --- | --- | --- |
| startTime | The report interval start time. | RFC3339 string |
| endTime | The report interval end time. | RFC3339 string |
| endpointSelector | The endpoint selector used to restrict in-scope endpoints by endpoint label selection. | selector string |
| namespaceNames | The set of namespace names used to restrict in-scope endpoints by namespace. | ";" separated list of namespace names |
| namespaceSelector | The namespace selector used to restrict in-scope endpoints by namespace label selection. | selector string |
| serviceAccountNames | The set of service account names used to restrict in-scope endpoints by service account. | ";" separated list of service account names |
| serviceAccountSelectors | The service account selector used to restrict in-scope endpoints by service account label selection. | selector string |
| endpointsNumIngressProtected | The number of in-scope endpoints that were always ingress protected during the report interval. | number |
| endpointsNumEgressProtected | The number of in-scope endpoints that were always egress protected during the report interval. | number |
| endpointsNumIngressUnprotected | The number of in-scope endpoints that were ingress unprotected at any point during the report interval. | number |
| endpointsNumEgressUnprotected | The number of in-scope endpoints that were egress unprotected at any point during the report interval. | number |
| endpointsNumIngressFromInternet | The number of in-scope endpoints that allowed ingress traffic from the public internet at any point during the report interval. | number |
| endpointsNumEgressToInternet | The number of in-scope endpoints that allowed egress traffic to the public internet at any point during the report interval. | number |
| endpointsNumIngressFromOtherNamespace | The number of in-scope endpoints that allowed ingress traffic from another namespace at any point during the report interval. | number |
| endpointsNumEgressToOtherNamespace | The number of in-scope endpoints that allowed egress traffic to another namespace at any point during the report interval. | number |
| endpointsNumEnvoyEnabled | The number of in-scope endpoints that were always Envoy enabled during the report interval. | number |

endpoints.csv

An endpoints CSV file that includes per-endpoint information.

| Heading | Description | Format |
| --- | --- | --- |
| endpoint | The name of the endpoint. | string |
| ingressProtected | Whether the endpoint was always ingress protected during the report interval. | bool |
| egressProtected | Whether the endpoint was always egress protected during the report interval. | bool |
| ingressFromInternet | Whether the endpoint allowed ingress traffic from the public internet at any point during the report interval. | number |
| egressToInternet | Whether the endpoint allowed egress traffic to the public internet at any point during the report interval. | number |
| ingressFromOtherNamespace | Whether the endpoint allowed ingress traffic from another namespace at any point during the report interval. | number |
| egressToOtherNamespace | Whether the endpoint allowed egress traffic to another namespace at any point during the report interval. | number |
| envoyEnabled | Whether the endpoint was always Envoy enabled during the report interval. | bool |
| appliedPolicies | The full set of policies that applied to the endpoint at any time during the report interval. | ";" separated list of policy names |
| services | The full set of services that included this endpoint at any time during the report interval. | ";" separated list of service names |
| trafficAggregationPrefix* | The flow log aggregation prefix. | string |
| endpointsGeneratingTrafficToThisEndpoint* | The set of endpoints that were generating traffic to this endpoint. | ";" separated list of service names |
| endpointsReceivingTrafficFromThisEndpoint* | The set of endpoints that this endpoint is generating traffic to. | ";" separated list of service names |

* Traffic data is determined from flow logs. By default, Calico Cloud aggregates flow logs so that flows to and from pods in the same replica set are summarized if the flows are accepted. (Denied flows are not aggregated this way by default). This means that the per-endpoint traffic details do not refer specifically to that endpoint, but rather the set of endpoints specified by the trafficAggregationPrefix.

If you want per-endpoint detail, turn down the level of aggregation. To do so, set the value of flowLogsFileAggregationKindForAllowed to 1 using a FelixConfiguration.
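As an added example (not part of the Calico Cloud documentation or product code), the following Python script parses an endpoints.csv laid out as documented above, recomputes the endpointsNum* counters of summary.csv from the per-endpoint rows, lists endpoints that were not always protected, and groups endpoints by trafficAggregationPrefix to make the aggregation caveat concrete. The CSV rows, endpoint, policy and service names are constructed; that reports spell the bool and number columns as true/false or 1/0 is an assumption, and both spellings are accepted.

```python
import csv

# Constructed sample endpoints.csv in the documented column layout (invented values).
SAMPLE_ENDPOINTS_CSV = """\
endpoint,ingressProtected,egressProtected,ingressFromInternet,egressToInternet,ingressFromOtherNamespace,egressToOtherNamespace,envoyEnabled,appliedPolicies,services,trafficAggregationPrefix,endpointsGeneratingTrafficToThisEndpoint,endpointsReceivingTrafficFromThisEndpoint
public/web-7d9f8-abc12,true,true,true,false,false,true,true,public/allow-web;public/default-deny,public/web,public/web-7d9f8-*,public/lb-*,public/api-5c6d7-*
public/web-7d9f8-xyz34,true,true,true,false,false,true,true,public/allow-web;public/default-deny,public/web,public/web-7d9f8-*,public/lb-*,public/api-5c6d7-*
public/api-5c6d7-qwe56,false,true,false,true,true,false,false,public/default-deny,public/api,public/api-5c6d7-*,public/web-7d9f8-*,
"""
LIST_COLUMNS = ("appliedPolicies", "services", "endpointsGeneratingTrafficToThisEndpoint",
                "endpointsReceivingTrafficFromThisEndpoint")

def _flag(value):
    """A bool column ('true') or a number column ('1') counts as set (assumed spellings)."""
    return value.strip().lower() in ("true", "1")

def parse_endpoints(text):
    """Parse endpoints.csv; ';' separated columns become Python lists."""
    rows = []
    for row in csv.DictReader(text.splitlines()):
        for col in LIST_COLUMNS:
            row[col] = [v for v in row[col].split(";") if v]
        rows.append(row)
    return rows

def summarize(rows):
    """Recompute the endpointsNum* counters of summary.csv from the per-endpoint rows."""
    n = lambda pred: sum(1 for r in rows if pred(r))
    return {
        "endpointsNumIngressProtected": n(lambda r: _flag(r["ingressProtected"])),
        "endpointsNumEgressProtected": n(lambda r: _flag(r["egressProtected"])),
        "endpointsNumIngressUnprotected": n(lambda r: not _flag(r["ingressProtected"])),
        "endpointsNumEgressUnprotected": n(lambda r: not _flag(r["egressProtected"])),
        "endpointsNumIngressFromInternet": n(lambda r: _flag(r["ingressFromInternet"])),
        "endpointsNumEgressToInternet": n(lambda r: _flag(r["egressToInternet"])),
        "endpointsNumIngressFromOtherNamespace": n(lambda r: _flag(r["ingressFromOtherNamespace"])),
        "endpointsNumEgressToOtherNamespace": n(lambda r: _flag(r["egressToOtherNamespace"])),
        "endpointsNumEnvoyEnabled": n(lambda r: _flag(r["envoyEnabled"])),
    }

def unprotected_endpoints(rows):
    """Endpoints not always protected in both directions: the policy gaps to review first."""
    return sorted(r["endpoint"] for r in rows
                  if not (_flag(r["ingressProtected"]) and _flag(r["egressProtected"])))

def aggregation_groups(rows):
    """Endpoints sharing a trafficAggregationPrefix; by default the traffic columns describe the group."""
    groups = {}
    for r in rows:
        groups.setdefault(r["trafficAggregationPrefix"], []).append(r["endpoint"])
    return groups
```

With default aggregation, the two web pods above share one prefix, so their traffic columns are identical and describe the replica set rather than either pod; lowering flowLogsFileAggregationKindForAllowed is what makes them differ.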